Security firm is buying iOS 9 exploits for $1 million

Zerodium, a startup that bills itself as the "premium zero-day vulnerability and exploit acquisition program", is currently running a massive bug bounty program that is offering $1 million to developers who discover critical, exploitable flaws in iOS 9.

The company is willing to pay a total of $3 million for three separate iOS 9 exploits, with $1 million going to each group of developers. However, it's going to take a particularly serious exploit to claim the million-dollar bounty, as Zerodium's requirements are lengthy and strict.

The exploit in question must use an unknown flaw and lead to a "remote, privileged, and persistent installation of an arbitrary app", essentially making it an untethered jailbreak of iOS 9. On top of this, the flaw must be exploitable silently, reliably and remotely without any user interaction, with attacks originating through either a web page, SMS or MMS.

The exploit must be delivered exclusively to Zerodium and must work on all iOS 9 devices newer than and including the iPhone 5 and 3rd-gen iPad. The program will run through to October 31st, although if three exploits are discovered before then, the program will end early.

Zerodium doesn't state what the zero-day exploits will be used for, although the company lists its clients as major corporations "in need of advanced zero-day protection" as well as governments "in need of specific and tailored cybersecurity capabilities".

It's most likely that these exploits will be packaged up for groups that require silent backdoor entry into iOS 9 devices, such as governments that want to tap into and spy on an iPhone user. Exploits of this type, which remain unpatched and unknown to the public, typically command high prices on the market, which is why Zerodium is offering such a large sum for iOS 9 exploits.